The evidence collector that’s always with you

It is an integral part of our life these days and an item that is rarely further than arm’s reach. There are thousands of different models running various operating systems. With each year comes a larger device with the latest devices having a storage capacity of up to 512GB with expandable memory of another 512GB. As you would have guessed, I’m talking about mobile phones. 1TB is a lot of data, but what sort of useable data can we get from a mobile phone?

Let’s think of it in terms of an investigation. One of your staff members has been accused of stalking and harassing a fellow staff member. What steps do you take to secure the potential evidence that is located on their work mobile and what type of evidence would you find?

Can you obtain the device?

The first step is to work out whether you have any legal right to obtain the device. Some companies will issue their staff a mobile device and other companies may allow bring your own device (BYOD). Certain states even allow surveillance of personal devices when they are being used at work using work wifi systems. In some instances, a person may provide consent for their mobile device to be imaged and reviewed and in these instances, you would ensure they have provided written confirmation. In other instances, you may need to rely on the company policies or you may not have any right to the device itself. The key to this first step is the policy the staff member has agreed to which will require discussion with your IT and legal team.

Secure evidence

Similar to any electronic devices which may contain key data, if the device is on, try to utilise a power source to keep the device powered on. If the device is off, leave the device in this state. If the device is on, enable airplane/flight mode. This will ensure they are not able to remotely wipe the device. You will need to obtain the PIN code from the staff member in majority of instances. Some devices can be accessed using software without the PIN code, however this will not be applicable to the latest devices.

Forensically acquire device

Mobile phones are becoming increasingly more difficult to obtain the data from so we would recommend you utilise forensic software and hardware to take an image of the device. Forensic software will have varying levels of interactions with the mobile device, which can affect whether the data itself is defensible, so make sure you research what software is forensically sound and you obtain suitable training in case the matter requires attendance in court. Through suitable training and certification, you will be able to justify the actions you have taken in imaging the device and explain how the information was obtained from the data set.

Avenues of investigation

The following are some potential avenues of investigation that relate to data obtained from a mobile device:

Correspondence between the two parties
This could include call logs, SMS/MMS/iChat messages, various chat applications such as WhatsApp, WeChat, Viber, Messenger etc.

Correspondence between the accused and third parties that may mention the defendant

Internet history
This could show the accused performing searches online for the defendants’ address, social media accounts, etc.

Media
This could include photos or videos that the accused has taken of the defendant which could also include valuable data such as time stamps and GPS coordinates.

Location data
This could provide GPS coordinates to indicate at certain points of time where the accused was in relation to the defendant.

Recover deleted data
In some instances, data that has been deleted such as messages can be recovered. As with all deleted data, time is of the essence. The likelihood of recovering deleted data will decrease with time, especially with mobile devices.

Linked Devices
Bluetooth history from the device may indicate linked devices such as smartwatches or car entertainment units which could provide further avenues to investigate.

Cloud StorageThe above considerations relate to data contained on the device however a review of the applications may provide further avenues to investigate such as cloud storage of the device or individual applications.

These avenues of investigation can be performed alongside the defendants’ statement and a forensic image of their mobile device to corroborate or contradict their claims.

At the end of the day, forensic evidence can be a key source of truth to decipher between contradicting statements.

Ideally, everyone should have a basic understanding of the company’s IT infrastructure, not least because as more companies digitise, the risk of cyber threats increases. A cyberattack can come from anywhere ...

With recent headlines highlighting the damage and embarrassment that can be caused by poorly redacted documents, it is no wonder many firms and corporates are turning to legal document management specialists to secure their redactions ...

The dawn raid has led to the forensic collection of 100,000 documents, now safely secured on a hard drive. What is the process from here? It’s important to plan your strategy in advance to minimise downtime, extract relevant documents and ...

What are the current trends in forensic investigations for cross-border matters? Head of Forensics - Erick Gunawan, looks at the constant evolution in data types and volumes, and the ever-tightening data privacy laws and regulatory intervention ...

In-house counsel are often called on to manage an internal investigation. How can you effectively plan for and manage these investigations? We explore how electronic discovery (eDiscovery) tools help you mitigate risk and achieve your fact-finding mission.